Well, this has nothing to do with struts itself. Well, the basic thing to do is to have a form with a username and password fields, and it submits to an action that authenticates the user. The action authenticates the user by comparing the username and password with those in database or LDAP, preferably with encryption. Of course a lot of other things can be done, like using JAAS, ACEGI, using a central authenticating server like CAS.

The http://faq.javaranch.com/java/TomcatFaq has a section on web app security. While some of it (the stuff about setting up realms) is Tomcat-specific, most of it applies to all web apps (and other servers have mechanisms similar to realms).